
Apple fixed 39 vulnerabilities across Mac OS X and a slew of Mac applications. The company also released OS X 10.6.8, which may be the last major update to the operating system before version 10.7 "Lion" arrives next month.

Apple closed security holes in QuickTime, MobileMe, the MySQL implementation in OS X Server and the App Store in Security Update 2011-004, the company said in its support document June 24. In Mac OS X 10.6.8 (for Snow Leopard) Apple patched three bugs in the operating system and improved protection against MacDefender fake antivirus scams and related Trojans, according to Apple's Knowledge Base article.

The OS X 10.6.8 update also has improved IPv6 and VPN support as well as implemented enhancements to the Mac App Store to "prepare" the Mac for the upgrade to the new Lion operating system, OS X 10.7, expected in July.

"The Mac OS X v10.6.8 Update is recommended for all users running Mac OS X Snow Leopard and includes general operating system fixes that enhance the stability, compatibility and security of your Mac," Apple said.


The 2011-004 update includes all the Snow Leopard bug fixes as well as improvements in AirPort network security, fixes for issues in the handling of maliciously crafted files in ColorSync, CoreGraphics and ATS (Apple Type Services), and a Windows ID flaw in the Samba file-sharing protocol. All of these vulnerabilities, if exploited, would have allowed the attacker to run arbitrary code on the targeted Mac.

Apple also addressed a serious vulnerability in OS X's certificate trust policy, which governs how the Mac handles digital certificates. The vulnerability could be exploited by an attacker already in the network to eavesdrop and intercept user credentials and other sensitive data. The certificate trust policy flaw was identified and reported by two Google researchers.

The issue exists if an Extended Validation certificate did not include an address at which to check its validity using OCSP (Online Certificate Status Protocol). Even if the option to verify all certificates against the CRL (certificate revocation list) was selected, the error-handling issue meant the list would not be checked, and revoked certificates would be accepted as valid.

"This issue is mitigated as most EV certificates specify an OCSP URL," Apple said in its advisory.
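The fail-open pattern the article describes, as an added example that is not Apple's code or taken from its advisory: a revocation check whose OCSP step errors out on an EV certificate with no responder URL, and whose error handler returns "accept" before the CRL step is ever reached, set beside a fail-closed version that falls through to the CRL when the policy asks for it and refuses a certificate whose status cannot be established. The `Certificate` class, the in-memory OCSP and CRL tables and the serial numbers are all constructed for the example.

```python
"""Fail-open vs. fail-closed revocation checking (constructed example, not Apple's code)."""
from dataclasses import dataclass
from typing import Optional

OCSP_URL = "https://ocsp.example.test"          # constructed responder address
CRL_URL = "https://crl.example.test/ca.crl"     # constructed CRL distribution point


@dataclass
class Certificate:
    serial: str
    is_ev: bool
    ocsp_url: Optional[str]   # None models an EV certificate carrying no OCSP URL
    crl_url: Optional[str]


# Constructed revocation data standing in for a live responder and a downloaded CRL.
CONSTRUCTED_OCSP = {OCSP_URL: {"0xBEEF": "revoked", "0xD00D": "good"}}
CONSTRUCTED_CRL = {CRL_URL: {"0xC0FFEE", "0xBEEF"}}


class RevocationCheckError(Exception):
    """A revocation source could not be consulted (missing URL, no data)."""


def ocsp_status(cert: Certificate) -> str:
    """Return 'good', 'revoked' or 'unknown'; raise if the certificate has no OCSP URL."""
    if cert.ocsp_url is None:
        raise RevocationCheckError("certificate carries no OCSP URL")
    return CONSTRUCTED_OCSP.get(cert.ocsp_url, {}).get(cert.serial, "unknown")


def listed_in_crl(cert: Certificate) -> bool:
    """True if the serial appears on the CRL; raise if there is no CRL to consult."""
    if cert.crl_url is None:
        raise RevocationCheckError("certificate carries no CRL distribution point")
    return cert.serial in CONSTRUCTED_CRL.get(cert.crl_url, set())


def accept_fail_open(cert: Certificate, check_crl: bool) -> bool:
    """Models the defect: an OCSP failure is handled by returning 'accept',
    so the CRL step is never reached even when the policy selected it."""
    try:
        if cert.is_ev and ocsp_status(cert) == "revoked":
            return False
    except RevocationCheckError:
        return True                      # BUG: error treated as 'valid'; CRL skipped
    if check_crl:
        return not listed_in_crl(cert)
    return True


def accept_fail_closed(cert: Certificate, check_crl: bool) -> bool:
    """Hardened version: an OCSP failure falls through to the CRL when the policy
    asks for it, and a status that cannot be established is not trusted."""
    try:
        status = ocsp_status(cert) if cert.is_ev else "not-required"
    except RevocationCheckError:
        status = "unavailable"           # remember the failure instead of accepting
    if status == "revoked":
        return False
    if check_crl:
        try:
            return not listed_in_crl(cert)
        except RevocationCheckError:
            return False                 # policy demanded a check that could not run
    return status in ("good", "not-required")


if __name__ == "__main__":
    revoked_ev_no_ocsp = Certificate("0xC0FFEE", True, None, CRL_URL)
    print("fail-open accepts revoked cert:", accept_fail_open(revoked_ev_no_ocsp, True))
    print("fail-closed accepts revoked cert:", accept_fail_closed(revoked_ev_no_ocsp, True))
```

With the CRL option selected, the fail-open checker still accepts the revoked EV certificate because the OCSP error handler returns before the CRL is consulted; the fail-closed checker reaches the CRL and rejects it, and without a CRL policy it declines to trust an EV certificate whose status it could not verify.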

Apple fixed five vulnerabilities in QuickTime, the default media player widely used on the Web. All of the bugs could have been exploited by a remote attacker to run arbitrary code. Apple also addressed eight remote code execution flaws in the MySQL implementation that ships with OS X Server. There were also five issues with Apple's OpenSSL implementation, some of which were remote code execution bugs.

The way embedded TrueType fonts were handled in Apple Type Services could cause a heap-based buffer overflow when a document containing a maliciously crafted embedded font was viewed or downloaded, according to Apple's advisory. The flaw, which could be exploited by an attacker to execute arbitrary code, was reported by two researchers from the Red Hat Security Response Team.

An AirPort vulnerability in both the desktop and server versions of Mac OS X 10.5.8 allowed attackers on the same Wi-Fi network to trigger a system reset on the Mac.
